g_mallocate the encrypted key, but free it in all paths out of the function.
It doesn't need to persist after the function returns. Change-Id: Ic601a6ef6a0aa0f22f9c8b9a1c586cec95093f27 Reviewed-on: https://code.wireshark.org/review/12805 Reviewed-by: Guy Harris <guy@alum.mit.edu>
This commit is contained in:
parent
830f30a705
commit
6ede7d4ba3
|
@ -346,7 +346,7 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decryption
|
|||
}
|
||||
|
||||
/* Encrypted key is in the information element field of the EAPOL key packet */
|
||||
szEncryptedKey = (guint8 *)wmem_memdup(wmem_packet_scope(), pEAPKey->ie, key_bytes_len);
|
||||
szEncryptedKey = (guint8 *)g_memdup(pEAPKey->ie, key_bytes_len);
|
||||
|
||||
DEBUG_DUMP("Encrypted Broadcast key:", szEncryptedKey, key_bytes_len);
|
||||
DEBUG_DUMP("KeyIV:", pEAPKey->key_iv, 16);
|
||||
|
@ -420,6 +420,7 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decryption
|
|||
|
||||
if (rsn_id != 0xdd){
|
||||
if (key_index+1 >= key_bytes_len){
|
||||
g_free(szEncryptedKey);
|
||||
return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
|
||||
}
|
||||
key_index += decrypted_data[key_index+1]+2;
|
||||
|
@ -429,8 +430,10 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decryption
|
|||
}
|
||||
|
||||
if (key_found){
|
||||
if (key_index+8 >= key_bytes_len)
|
||||
if (key_index+8 >= key_bytes_len) {
|
||||
g_free(szEncryptedKey);
|
||||
return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
|
||||
}
|
||||
|
||||
/* Skip over the GTK header info, and don't copy past the end of the encrypted data */
|
||||
memcpy(szEncryptedKey, decrypted_data+key_index+8, key_bytes_len-key_index-8);
|
||||
|
@ -440,6 +443,7 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decryption
|
|||
key_len = (sa->wpa.key_ver==AIRPDCAP_WPA_KEY_VER_NOT_CCMP)?TKIP_GROUP_KEY_LEN:CCMP_GROUP_KEY_LEN;
|
||||
if (key_len > key_bytes_len) {
|
||||
/* the key required for this protocol is longer than the key that we just calculated */
|
||||
g_free(szEncryptedKey);
|
||||
return AIRPDCAP_RET_NO_VALID_HANDSHAKE;
|
||||
}
|
||||
|
||||
|
@ -454,6 +458,7 @@ AirPDcapDecryptWPABroadcastKey(const EAPOL_RSN_KEY *pEAPKey, guint8 *decryption
|
|||
/* AirPDcapRsnaMng() function will extract the right piece of the GTK for decryption. (The first 16 bytes of the GTK are used for decryption.) */
|
||||
memset(sa->wpa.ptk, 0, sizeof(sa->wpa.ptk));
|
||||
memcpy(sa->wpa.ptk+32, szEncryptedKey, key_len);
|
||||
g_free(szEncryptedKey);
|
||||
return AIRPDCAP_RET_SUCCESS_HANDSHAKE;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue